6 Portability of non-personal data, Interoperability and standards


UK GOVERNMENT RESPONSE TO THE EUROPEAN COMMISSION'S CONSULTATION ON BUILDING THE EUROPEAN DATA ECONOMY

Contents

Executive Summary
1 Introduction
2 Localisation of data for storage and/or processing purposes
3 Emerging issues
4 Access to and re-use of non-personal data
5 Liability
6 Portability of non-personal data, Interoperability and standards

EXECUTIVE SUMMARY

The UK recognizes the importance of data for the digital economy and welcomes the Commission's ambition to facilitate the free flow of data.

Data Localisation

While there may be areas where localisation of data is justified, such as for national security and carrying out law enforcement activities, data localisation has many negative consequences. It risks weakening data security by prioritising location above critical factors such as access controls and encryption. It can lock out SMEs and new market entrants, stifling competition and undermining the take-up of cloud computing services. In the long term, it may lead to the fragmentation of the Internet along national lines.

There is a complex patchwork of existing EU law, making it difficult for SMEs and public authorities to assess what law or exemption might apply. The UK recommends a new Regulation to simplify and consolidate existing law and fill any gaps. Given the global nature of data markets, action on data localisation should maximise the benefits of data through a global and collaborative approach. Alongside a Regulation, action should be taken to address misperceptions of risks and raise awareness of cloud computing solutions.

Emerging Issues

The Commission seeks to explore facilitating access to data, liability arrangements, and portability of data. For all of these three areas, the UK believes it will be important to assess whether there is a market failure that requires a solution. Perceived problems may be due to data markets still being in the early stages of development. The Commission should also thoroughly assess the impact of any intervention, particularly the impact on innovation in developing data markets. A one-size-fits-all solution may not always be appropriate. Possible alternatives include guidance to encourage data sharing, technical solutions to facilitate it, and industry-led initiatives.

1 Introduction

Importance of data

The growth of the Internet, the increasing use of social media, and the widespread use of mobile phones and other smart technologies have resulted in more data being produced than ever before. At the same time, the lowering costs of collecting, storing and processing data - coupled with increasing computing power - are making data a rich raw material with great - still untapped - potential. This is creating new opportunities throughout society and the economy.

Importance of secure data flows

The Internet has become the key platform from which organisations and people throughout the world can connect, thus driving international cooperation and trade. Cross-border data flows are intrinsic to the ability to share information securely and access products and services globally.

Remote access to IT services through cloud computing has transformed how people and businesses use technology. As well as creating economies of scale (e.g. reducing fixed capital costs), they can transform business performance. For example, they may improve back office functions and provide access to powerful analytical tools to create more tailored services for customers.

Data is also driving new developments such as the Internet of Things, Smart Cities, and wearable technology. In addition, data will fuel future technologies such as Artificial Intelligence, 3D printing, and robotics.

It is crucial that our data regime is both secure to protect privacy, and flexible to allow data to be used effectively. The right data regimes, including governance of advanced data techniques like AI and machine learning, safeguarding privacy, and cyber security, are critical to our future prosperity.

UK, EU, and global data flows

Our approach to combining privacy with flexibility to facilitate free flow of data is widely respected as world-leading. This has helped the UK to be at the forefront of global advancements in the data economy:

- We are a global leader in the data economy, accounting for 11.5 per cent of global cross-border flows - three-quarters of which are between the UK and other EU Member States [1].
- The UK accounts for a high proportion of the value of the EU's digitally-deliverable service exports [2].
- Many global content service providers have significant infrastructure in the UK. Access to this is crucial for consumers throughout the EU.

Our approach to free flow of data has made a crucial contribution to the global data economy. The UK believes that the free flow of data contributes significantly to innovation in digital service provision as well as across the economy more generally, and that an open, global approach to data flows will support EU competitiveness.

There are very few aspects of our lives that have not been touched by the Internet and digital technologies, which are all driven by data storage and data flows. The UK government welcomes the Commission's dialogue with Member States and stakeholders and the opportunity to respond to its consultation on Building the European Data Economy.

2 Localisation of data for storage and/or processing purposes

Increased use of data localisation measures

Governments around the world are increasingly introducing data localisation requirements which can disrupt data flows by restricting where and how data may be stored, transferred, or processed. These policies are often driven by the impression that keeping data in a home country makes it more secure.

People have an expectation that their data will be protected when it is transferred, processed, and stored in other countries. They also have legitimate concerns when this does not happen. It is important for public and private sector organisations to address these concerns and alleviate people's misgivings, striking the balance between keeping data safe, ensuring the right to privacy, and reaping the benefits that data can bring.

There will be cases where data localisation is justified, and exemptions to any legislation on data localisation, which should otherwise be kept to a minimum, would be required. These include exemptions:

- that are necessary and lawful in areas such as national security and law enforcement
- that protect the ability of Member States' law enforcement agencies to access data for legitimate needs as permitted by their particular domestic legislation
- that ensure that when companies exercise their right of the free flow of data, they do not hinder the important principle that law enforcement agencies may have the right and ability to access data lawfully no matter where it is stored.

Impact of data localisation

Data Security

Data security is not improved by data localisation but rather by, for example, effective cyber security, access controls, and encryption [3]. Data localisation can undermine data security and render data more vulnerable to cyber attacks. For example, data can be safer when stored across a number of locations, rather than just one place, as this makes it less vulnerable to outages and a single cyber attack [4].

Fostering trust and confidence in the services and protections offered by Cloud providers is vital. The Commission could explore building on work already undertaken as part of its 2012 strategy for unleashing the potential of cloud computing in Europe.

Competition

Data localisation is, we believe, anti-competitive, and runs contrary to Single Market principles. It can serve as a de facto trade barrier for businesses - especially SMEs - wishing to provide digital services in more than one Member State. Potentially prohibitive additional costs of duplicating physical storage facilities undermine the cost-effectiveness of cloud computing services, resulting in increased costs for end-users.

Open Internet

A more state-controlled approach by EU member states to where data can be stored could - alongside action by third countries to restrict Internet use - have the unintended consequence of leading to the fragmentation of the Internet along national lines. This could threaten the freedom of EU citizens to exchange information, and share ideas and other forms of expression, without geographic restriction.

[1] Frontier Economics for Tech UK (2017)
[2] London Economics for DCMS (forthcoming)
[3] See European Commission Staff Working Document on the free flow of data and emerging issues of the European data economy (2017), p.7
[4] See Chander and Lê, le.pdf

Existing EU legislation

The Commission Communication notes that any current or new data localisation restrictions would need to be carefully justified under existing Treaty provisions on the free movement of services and the freedom of establishment and permissible under other relevant EU law such as the GDPR. Directive 2000/31/EC (the E-commerce Directive), Directive 2006/123/EC (the Services Directive) and, as regards draft technical regulations and draft rules on Information Society Services, Directive 2015/1535 (the Transparency Directive) could also be relevant to consider in the context of maintaining data flows within the single market.

This means there are at least four separate legislative instruments that may be relevant (see box below), none of which explicitly sets out a regime for data storage and which have different objectives, different scopes, and different exemptions, with some exemptions listed in a separate annex to that legislation. Most organisations (including public authorities and SMEs) would find it hard to navigate and understand all the legislation. We believe a new regulation is needed to simplify the landscape, by consolidating and clarifying existing requirements and filling any gaps in the current framework.

Summary of existing secondary legislation

General Data Protection Regulation (Regulation 2016/679)

This prohibits restrictions on the free flow of personal data within the EU for the purposes of protecting personal data. This does not apply to non-personal data, or restrictions of free flow for other reasons. The GDPR will also ensure protection for personal data when it is processed outside the EU.

Services Directive (2006): Directive 2006/123/EC

This sets out rules to govern the single market for services within the EU. Several sectors are exempted from the Directive, such as financial services; transport; electronic communications if they fall under the scope of one of five listed EU instruments; and gambling. It also only applies to providers established in a Member State. Companies established outside of the EU are not covered by the Directive. Parts of the Directive do not apply to matters concerning the processing and free movement of personal data.

Transparency Directive: Directive (EU) 2015/1535

Member States must notify to the Commission certain technical regulations they plan to impose on information society services to check whether they restrict the free movement of services. There is a list of exemptions, including matters in the field of financial services; and companies under Directive 2002/21/EC such as electronic communications services and networks are also exempt.

Electronic Commerce Directive (Directive 2000/31/EC)

This provides that Member States may not restrict the freedom to provide information society services (ISS) from another Member State. However, the Directive also allows for Member States to take action against an ISS based in another member state, but only after following a strict procedure, including for protection of consumers and public policy.

Global data flows

Data flows have become an integral part of international business models, where the secure transfer, accessing, processing and storing of data across borders is a vital part of everyday business. They are vital for global competitiveness, and yet restrictions to global data flows are still a very real barrier for businesses.

Given this global nature of data markets, action against data localisation should maximise the benefits of data through a global and collaborative approach. The Commission should explore how to enable data flows between the EU and third countries, for example considering the possible role of EU trade agreements with third countries and multilateral agreements.

Provisions specifically on data flows and storage already exist in a range of trade agreements. The WTO Understanding on Commitments in Financial Services (FS), for example, is a multi-country agreement that includes commitments on the free flow of data and anti-data localisation in the FS sector. Negotiations of other agreements are discussing data flows. For example, ambitious data proposals were agreed by Trans Pacific Partnership (TPP) parties that included provisions on safe data flows, anti-data localisation, and noted the importance of domestic data protection regimes.

Localisation through public procurement

The European Commission has flagged examples where laws, rules, and guidance in member states could result in data localisation. There is also the potential for, often unintentional, data localisation to happen when public authorities contract out IT and cloud-based services. This will require a two-pronged response of a data localisation regulation supported by awareness raising and guidance for the EU public procurement community.

UK proposed action to address unjustified data localisation

We support balanced and proportionate proposals that maintain the social and economic benefits of an open, interconnected Internet, underpinned by free flowing data. Action should not undermine the balance of competences and must be in line with better regulation principles. It should also ensure a coherent landscape for data, in particular by aligning with the General Data Protection Regulation (GDPR). More specifically we propose:

1. The European Commission proposes a new consolidating regulation which provides clarity and legal certainty, with exemptions that are necessary and lawful for the public interest (such as national security and law enforcement). To be effective, this should be accompanied by awareness raising in member states and an enforcement regime with clear avenues of recourse. The Commission should also allow public authorities sufficient time to adapt their practices.
2. The European Commission works with member states and stakeholders to address misconceptions and engender public trust, building on the Commission's ongoing work to unleash the power of cloud computing in Europe.
3. The European Commission works with the public procurement community to focus on setting out functional requirements and security principles on data storage.
4. European rules should not introduce barriers to trade or provoke the fragmentation of the global market, and the European Commission should consider action on data localisation which maximises the benefits of data through global and collaborative approaches, such as the possible role of EU trade agreements with third countries and other multilateral agreements.

3 Emerging issues

The Communication sets out a number of possible ways forward to address emerging issues around how companies and other market players access data, the rules on liability in the data economy, and the portability of non-personal data.

Data markets are nascent and rapidly evolving, and similarly issues relating to product liability are also evolving as a consequence of increasingly complex, interconnected technology. Before looking to develop new interventions, we need to understand how data markets work and identify where there are market failures. Premature intervention, particularly one-size-fits-all solutions, could have profound long term implications for the development of data markets.

It will take time for market solutions to emerge, but there are already some positive signs, e.g. blockchain looks set to revolutionise how data is accessed. Similarly, data sharing groups are developing solutions to sharing commercially valuable data.

4 Access to and re-use of non-personal data

Business to Business

When businesses share data, it is usually for mutual benefit, determined by commercial negotiation and agreed contract terms. Therefore, any intervention must address an identified market failure. Some of the data access issues set out in the communication may result from the normal dynamic of an emerging and evolving market. In some cases the market or a particular sector may be able to find solutions or regulate itself; though the implications of technologies being used across sectors will need to be considered.

Possible options put forward by the Commission

Issuing guidance on incentivising businesses to share data and how non-personal data control rights should be addressed in contracts

The Commission could explore potential benefits to issuing guidance for business on data sharing and contracts and whether there is a need for this.

Developing technical solutions for identification and exchange of data - for example: broader use of APIs, including guidance and best practice and making data available in machine-readable formats and the provision of meta-data.

Application Program Interfaces (APIs) allow applications to share data in an easily understandable format without requiring developers to share all of their software's code. The UK is the first country to start work on an Open Banking API to help people find out what bank account is best for them. We believe APIs could be appropriate for other sectors, and this should be explored, with a focus on industry-led approaches.

Default rules for data contracts, and an unfairness control in B2B contracts and standard contract terms, would invalidate clauses that deviate from default rules; thus lowering legal barriers to SMEs and rebalancing bargaining positions

It is worth evaluating how we might address any potential imbalances of power, reduce legal costs for drawing up data-sharing contracts, and provide increased legal certainty. Similarly, options could be explored as to how we might prevent lock-in in order to achieve a more competitive market.

Granting public authorities access to data to improve the functioning of the public sector and scientific purposes (e.g. access to business data by statistical bodies, access to data for traffic management, and data for scientific research)

The Commission should consider how best to balance the various important considerations and interests in this area. The UK leads the world in open data and is committed to being open by default. All official statistics are now published under the open government licence and we have made over 40,000 government datasets available through our data.gov.uk web-portal. Through the Digital Economy Bill, we are modernising legislation to enable access to data held by businesses and others for defined public interest purposes within government. This will allow government to improve the lives of citizens who are in need of support through better targeted services.

Data producer's right to use and authorise use of non-personal data

We would like to see more evidence of the need for a new authorisation right along these lines and an assessment of its impact on business and innovation. We would also recommend the Commission carefully considers how such a right would operate alongside other rights - the sui generis database, copyright, and other such protective measures the EU has previously put in place.

A framework, based on fair, reasonable and non-discriminatory terms, for data holders to provide access to data they hold after anonymisation.

While we understand the value of opening up such data, we must recognise the importance of respect for intellectual property rights, and maintaining incentives for the collection and creation of data.

5 Liability

Extra-contractual liabilities: IoT and robotic products and services

We believe more analysis is needed on where there would be extra-contractual liabilities in automated systems.

Possible options put forward by the Commission

Review of the EU Product Liability Directive and other EU rules on liability in the context of autonomous connected systems

We support the review of current EU rules in order to ensure they provide a framework to deal with liability within automated systems.

Assigning liability to the player generating the risk or those best placed to minimise or avoid the risk

It will be important to assess the consequences of assigning liability to either the party generating the risk or the party best placed to minimise or avoid it. Robust evidence of a need for action should be gathered before limiting the freedom to balance the risk between parties. Parties can already use indemnity clauses to commit to compensate another party for the consequences of a specific event.

Voluntary or mandatory insurance schemes to compensate damaged parties

The Commission should work with industry and insurance experts to ascertain if the proposal for voluntary or mandatory insurance is a practical solution. The UK is already taking key steps in this area: the Vehicle Technology and Aviation Bill, which is progressing through the UK Parliament, will extend the compulsory motor insurance requirement to include automated vehicle owners.

6 Portability of non-personal data, Interoperability and standards

The Commission has identified two possible means of facilitating service switching: the development of standard contract terms and rights to portability of non-personal data. Data portability can help facilitate consumers to switch service providers, which in turn can promote competition.

The UK is in favour of allowing consumers to access and transfer their data from one service provider to another - this drives competition and innovation as well as empowering consumers. The midata programme, launched in 2011, brought together business, consumer and privacy groups in a scheme to give consumers access to portable and electronic formats of data held about them by companies. Giving consumers access to their personal data in this safe and secure way enables them to make more informed choices on the products and services they buy and gives companies opportunities to innovate, creating further growth in the digital economy. The UK is the first country to start work on developing an Open Banking API that uses data to provide helpful information to consumers when using banking services.

However, we must be careful not to promote portability through over-prescriptive common standards; this could stifle innovation and be a disincentive for industry to develop new products and services. We should also be careful to avoid creating unnecessary and disproportionate additional costs and burdens for business as a result of creating a right to portability of non-personal data.